Office of Audits and Evaluations
Report No. AUD-14-004

The FDIC’s Actions to Address Consumer Protection Violations and Deficiencies

March 2014

Executive Summary

Why We Did The Audit
FDIC-supervised financial institutions are responsible for developing and implementing compliance management systems to ensure compliance with federal consumer protection laws and regulations. The FDIC routinely examines these institutions for potential deficiencies in their compliance management systems and for potential violations of consumer protection laws and regulations. Compliance examinations and follow-up supervisory attention help to ensure that consumers obtain the benefits and protection afforded to them under the law. Given the importance of this area, we conducted this audit.

The objective of this performance audit was to determine whether the FDIC’s actions to address consumer protection violations and deficiencies comply with applicable policies, procedures, and guidelines and the extent to which the actions are consistently handled by the Division of Depositor and Consumer Protection’s (DCP) Regional Offices. The FDIC Office of Inspector General engaged the independent professional services firm of KPMG LLP to provide assistance on the audit.

Background
Within the FDIC, DCP has primary responsibility for examining institutions for compliance with fair lending, privacy, and various other consumer protection laws and regulations.
Examiners document the results of their work in compliance examination reports, which are provided to the institution’s management and Board of Directors. Examiner recommendations and discussions with management generally result in the correction of identified violations and deficiencies. However, when such efforts are not successful, or when violations or deficiencies are significant, the FDIC may take stronger steps in the form of informal supervisory actions or formal enforcement actions against an institution or responsible individuals. Such actions can include the assessment of civil money penalties (CMP) or orders to pay restitution to consumers who were harmed because of violations. The FDIC typically performs follow-up examinations or onsite visits within 12 months of completing an examination that assigns a “4” or “5” compliance rating.

DCP has developed a formal consultation process that requires officials in the Regional Offices and the Washington Office to consult on significant, unusual, and emerging supervisory matters, including supervisory actions, violations of certain laws and regulations, and weak compliance ratings. The consultation process is intended to help ensure appropriate, consistent, and timely consideration of such matters.

Audit Results
We found that the FDIC’s actions to address the consumer protection violations and deficiencies that we reviewed generally aligned with applicable policies, procedures, and guidelines.
In addition, compliance examination reports identified the specific laws and regulations that were violated, the nature and causes of the violations, the recommended corrective actions, and the responses of the institutions’ management. Further, follow-up examinations or visits were conducted timely, and CMPs that the FDIC issued were well supported and documented and included a legal opinion that addressed consideration of applicable laws, violations, mitigating factors, and monetary penalties.

To view the full report, go to www.fdicig.gov

While the above results are positive, the FDIC’s compliance information systems used to record, track, and monitor consumer compliance activities did not always contain pertinent information on the following compliance activities:

    • the basis for decisions on whether and what type of supervisory action should be taken,
    • restitutions to consumers, and
    • consultations among DCP officials regarding proposed supervisory actions.

In some cases, this information was maintained outside of the FDIC’s compliance information systems in memoranda and other documents. Recording and tracking key supervisory information in a consistent and centralized manner helps to ensure its reliability, reduces the amount of time and effort needed to locate information and respond to inquiries, and mitigates the risk associated with staff turnover.
Such an approach also provides increased assurance of consistency in the supervision of institutions.

DCP has established a number of internal controls to promote consistency among its Regional Offices in the handling of actions to address violations and deficiencies. Such controls include the Compliance Examination Manual, the Formal and Informal Action Procedures Manual, the National Review Examiner Manual, a consultation process, restitution tracking procedures, and the compliance examination report review process. In addition, the FDIC established the Case Review Committee and has issued guidance to examiners on consumer protection matters to help ensure a consistent supervisory approach. Further, the supervisory matters that we reviewed, including actions taken to address violations and deficiencies, generally appeared to be consistently handled by DCP’s Regional Offices. However, we did note differences among DCP’s regional consultation policies and procedures that the FDIC should consider as part of its initiative to update those procedures for consistency with recently-issued national consultation procedures.

Our report also includes an observation that DCP’s guidance to examiners on assigning compliance ratings allows more flexibility than the definitions provided in the Uniform Interagency Consumer Compliance Rating System (UICCRS). DCP officials informed us that there have been high-level discussions among Federal Financial Institutions Examination Council participants about the need to clarify the UICCRS ratings definitions. Finally, we identified two potential control improvements that we did not consider significant in the context of the audit objective.
We communicated those potential control improvements separately to DCP management.

Recommendations and Corporation Comments
Our report contains four recommendations addressed to the Director, DCP, that are intended to improve DCP’s internal controls for addressing consumer protection violations and deficiencies identified during compliance examinations. The Director, DCP, provided a written response, dated March 17, 2014, to a draft of this report. In the response, the Director concurred with all four of the report’s recommendations and described planned corrective actions that address the recommendations. With respect to the report’s observation, the Director, DCP, plans to contact other agencies to determine whether there is mutual interest in updating the UICCRS definitions.


Contents

Background
Audit Results
Recording Supervisory Information in the FDIC’s Compliance Information Systems
Regional Consultation Policies and Procedures
Observation: Consumer Compliance Rating System
Corporation Comments and OIG Evaluation

Appendices
    1. Objective, Scope, and Methodology
    2. Glossary of Terms
    3. Acronyms and Abbreviations
    4. Corporation Comments
    5. Summary of the Corporation’s Corrective Actions

Tables
    1. Institutions Selected for Review
    2.
       Institutions Actually Reviewed


Federal Deposit Insurance Corporation
3501 Fairfax Drive, Arlington, Virginia 22226
Office of Audits and Evaluations
Office of Inspector General

DATE:            March 28, 2014

MEMORANDUM TO:   Mark E. Pearce, Director
                 Division of Depositor and Consumer Protection

                 /Signed/
FROM:            Stephen M. Beard
                 Deputy Inspector General for Audits and Evaluations

SUBJECT:         The FDIC’s Actions to Address Consumer Protection Violations and Deficiencies (Report No. AUD-14-004)

This report presents the results of our audit of the FDIC’s actions to address consumer protection violations and deficiencies identified during compliance examinations. FDIC-supervised financial institutions are responsible for developing and implementing compliance management systems to ensure compliance with federal consumer protection laws and regulations.[1] The FDIC routinely examines these institutions for potential deficiencies in their compliance management systems and for potential violations of consumer protection laws and regulations.
Although violations and deficiencies can often be addressed through examiner recommendations and discussions with the management of the institution, serious matters may result in monetary penalties and enforcement actions against the institution.

The audit objective was to determine whether the FDIC’s actions to address consumer protection violations and deficiencies comply with applicable policies, procedures, and guidelines and the extent to which the actions are consistently handled by the Division of Depositor and Consumer Protection’s (DCP) Regional Offices. To address our objective, we interviewed officials in DCP and the FDIC’s Legal Division about the Corporation’s processes for addressing consumer protection violations and deficiencies and for ensuring a consistent approach. We also reviewed supervisory information related to a non-statistical sample[2] of 93 FDIC-supervised financial institutions for which DCP had identified violations or deficiencies, issued a supervisory action, or referred a violation to another federal agency.[3]

[1] Terms that are underlined when first used in this report are defined in Appendix 2, Glossary of Terms.
[2] A non-statistical sample is judgmental and cannot be projected to the population. See Appendix 1 for details regarding our sampling methodology.
[3] For the purposes of this report, supervisory actions broadly include informal actions such as Bank Board Resolutions (BBR), Memoranda of Understanding (MOU), and voluntary restitutions, and formal enforcement actions such as Civil Money Penalties (CMP), cease-and-desist orders (C&D)/consent orders (CO), and restitution orders. Referrals to other agencies are not considered to be supervisory actions.

We conducted this performance audit in accordance with generally accepted government auditing standards.
Appendix 1 of this report includes additional information about our objective, scope, and methodology; Appendix 2 contains a glossary of key terms; Appendix 3 contains a list of acronyms and abbreviations; Appendix 4 contains the Corporation’s comments on this report; and Appendix 5 contains a summary of the Corporation’s corrective actions.


Background
The FDIC has statutory responsibility for examining the financial institutions it supervises for compliance with fair lending, privacy, and various other consumer protection laws and regulations.[4] Within the FDIC, DCP has primary responsibility for directing and managing compliance examinations, policy, research, and enforcement activities related to consumer protection and community affairs. DCP relies on compliance examinations as the primary means for determining whether financial institutions meet their responsibility for complying with consumer protection laws and regulations. DCP examines institutions every 12-36 months, depending on the institution’s size and compliance and Community Reinvestment Act (CRA) ratings assigned at the most recent examination. According to DCP’s Compliance Examination Manual, examiners perform the following steps during compliance examinations:

    • assess the quality of the institution’s compliance management system for implementing federal consumer protection statutes and regulations,

    • review compliance with relevant laws and regulations, and

    • initiate supervisory action when elements of an institution’s compliance management system are deficient or when significant violations of law are found.

At the conclusion of an examination, examiners discuss their findings and recommendations with the institution’s management and obtain a commitment for corrective action, if warranted.
Examiners document the results of their work (including both strengths and weaknesses in the institution’s compliance management system) in compliance examination reports, which are provided to the institution’s management and Board of Directors. Under certain circumstances, the FDIC must refer violations identified by examiners to other federal agencies, such as the Department of Justice (DOJ), when there is reason to believe that a pattern or practice of discouraging or denying applications for credit exists in violation of ECOA’s general rule prohibiting discrimination. The FDIC must also notify the Department of Housing and Urban Development (HUD) of certain violations of the FHAct.

[4] Such laws include the Equal Credit Opportunity Act (ECOA), Fair Housing Act (FHAct), Home Mortgage Disclosure Act (HMDA), Real Estate Settlement Procedures Act (RESPA), and Truth in Lending Act (TILA). The FDIC and other federal agencies issue regulations for implementing consumer protection laws, as appropriate. The FDIC also coordinates with other regulatory agencies, such as the Consumer Financial Protection Bureau (CFPB), on relevant consumer protection matters.

Except where DCP management determines it is unnecessary, a follow-up examination or onsite visit is conducted within 12 months of completing any examination that assigns a “4” or “5” compliance rating. The purpose of the follow-up is to assess the institution’s implementation of corrective actions. Additional follow-up is performed when initial corrective actions are determined to be insufficient. An institution’s progress in implementing informal or formal supervisory actions is typically assessed through quarterly progress reports from, and direct communication with, the management of the institution.
In addition, the FDIC’s Legal Division supports DCP in its supervisory activities. For example, the Legal Division reviews and opines on proposed enforcement actions.

The FDIC follows the Uniform Interagency Consumer Compliance Rating System (UICCRS), approved by the Federal Financial Institutions Examination Council (FFIEC), when conducting compliance examinations. Under this system, financial institutions are assigned a consumer compliance rating based on an evaluation of the nature and extent of the institution’s compliance with consumer protection and civil rights laws and regulations and the adequacy of their operating systems designed to ensure compliance on a continuing basis. Ratings are based on a scale of 1 to 5, with 1 indicating a strong compliance position and 5 indicating an institution in need of the strongest supervisory attention. The majority of FDIC-supervised institutions have ratings that reflect satisfactory or strong consumer compliance programs. Only 234 institutions—less than 6 percent of all FDIC-supervised institutions—were rated “3,” “4,” or “5” for consumer compliance purposes as of December 31, 2013.

Supervisory Actions

Frequently, examiner recommendations and discussions with management result in the correction of identified violations and deficiencies. When such efforts are not successful, or when the violations or deficiencies are significant, the FDIC may take stronger steps in the form of supervisory actions against an institution or responsible individuals.
Many factors must be considered in determining whether a supervisory action should be taken. According to the FDIC’s Formal and Informal Action Procedures Manual (FIAP Manual), such actions may be appropriate under the following circumstances.

    • Informal actions are generally appropriate for institutions with a composite “3” rating for compliance. This rating indicates that the institution has weaknesses that, if left uncorrected, could cause the institution’s compliance position to deteriorate.

    • Formal actions are generally appropriate for institutions with a composite “4” or “5” rating for compliance, such as when there is a high volume or severity of violations.

DCP has developed a formal consultation process that requires officials in the Regional Offices and the Washington Office to consult on significant, unusual, and emerging supervisory matters, including supervisory actions, violations of certain laws and regulations, and weak compliance ratings.[5] The consultation process is intended to help ensure appropriate, consistent, and timely consideration of such matters. In addition, the FDIC’s Board of Directors has established a Case Review Committee (CRC) to review and approve or disapprove proposed orders or notices with respect to certain enforcement actions.
As it relates to compliance matters, the CRC has authority over proposed actions to order restitution and assess CMPs—except CMPs related to Flood Insurance violations—and to review certain other compliance-related enforcement actions, such as those that may affect corporate policy or attract unusual attention or publicity.

During 2013, the FDIC issued 161 supervisory actions, consisting of 80 informal and 81 formal actions, to address consumer protection matters. In addition to BBRs and MOUs, the informal actions included 10 voluntary restitutions made by institutions in the form of refunds to consumers who were harmed by the institutions’ failure to comply with various laws. Formal actions may also impose requirements for institutions to pay restitution. In 2013, the FDIC ordered 6 institutions to pay almost $47 million in restitution to over 387,000 consumers. These refunds related to unfair or deceptive acts or practices (UDAP) by institutions. The FDIC also issued 54 CMPs totaling over $10 million payable to the Department of the Treasury (Treasury) in 2013. The majority of these CMPs involved Flood Insurance, UDAP, or ECOA violations.

Information Systems

The FDIC’s System of Uniform Reporting of Compliance and CRA Examinations (SOURCE) and the Formal and Informal Action Tracking System (FIAT) are the primary information systems used by DCP to support compliance supervisory activities. SOURCE is DCP’s system of record for data and documents associated with examination activities. The system is used to support examination and review processes, reporting, management and policy decisions, and strategic planning. FIAT is a module within the FDIC’s Virtual Supervisory Information On the Net System (ViSION) and serves as the central source of information for informal and formal actions.
SOURCE is relied upon at all levels of DCP and by external stakeholders, including the Treasury, CFPB, and state banking authorities. DCP also uses various other information systems, such as the Regional Automated Document Distribution and Imaging System (RADD) and the Regional Report Repository (R3), to support compliance supervisory activities. For purposes of this report, we collectively refer to SOURCE, FIAT, RADD, and R3 as the FDIC’s compliance information systems.

[5] The process is defined in Regional Directors Memoranda (RD Memorandum), entitled Consultation Process for Compliance and CRA Examinations (Transmittal No. 2011-26, dated November 18, 2011) and Consultation Policies and Procedures for Consumer Compliance and Community Reinvestment Act Issues (Transmittal No. 2008-42, dated December 30, 2008). These transmittals were superseded by RD Memorandum, Consultation Process for Compliance and CRA Examinations (Transmittal No. 2013-013-DCP, dated December 13, 2013).

In the course of performing our work, we found that the FDIC’s compliance information systems were generally not well integrated, did not always support DCP’s workflow processes or activities that we reviewed, and sometimes lacked relevant data or contained redundant data. These weaknesses present a risk to the reliability of the information that the systems maintain and increase the amount of time needed to locate key information. The FDIC recognizes that its current portfolio of systems supporting consumer compliance and CRA activities does not efficiently or effectively support existing business processes. In 2013, the FDIC began a multi-year initiative to modernize SOURCE and certain other ancillary compliance-related systems. The FDIC also has plans to modernize ViSION.
The FDIC should consider the findings in this report in formulating and implementing its information systems modernization efforts.


Audit Results
We found that the FDIC’s actions to address the consumer protection violations and deficiencies that we reviewed generally aligned with applicable policies, procedures, and guidelines. In addition, compliance examination reports identified the specific laws and regulations that were violated, the nature and causes of the violations, the recommended corrective actions, and the responses of the institutions’ management. Further, follow-up examinations or visits were conducted timely, and CMPs that the FDIC issued were well supported and documented and included a legal opinion that addressed consideration of applicable laws, violations, mitigating factors, and monetary penalties.

While the above results are positive, the FDIC’s compliance information systems used to record, track, and monitor consumer compliance activities did not always contain pertinent information on the following compliance activities:

    • the basis for decisions on whether and what type of supervisory action should be taken,

    • restitutions to consumers harmed by an institution’s failure to comply with consumer protection laws and regulations, and

    • consultations among Field Office, Regional Office, and Washington Office officials regarding proposed supervisory actions.

In some cases, this information was maintained outside of the FDIC’s compliance information systems in memoranda and other documents. Recording and tracking key supervisory information in a consistent and centralized manner helps to ensure its reliability, reduces the amount of time and effort needed to locate information and respond to inquiries, and mitigates the risk associated with staff turnover.
Such an approach also provides increased assurance of consistency in the supervision of institutions.

DCP has established a number of internal controls to promote consistency among its Regional Offices in the handling of actions to address violations and deficiencies. Such controls include the Compliance Examination Manual, the FIAP Manual, the National Review Examiner Manual (NRE Manual), a consultation process, restitution tracking procedures, and the compliance examination report review process. In addition, the FDIC established the CRC and has issued guidance to examiners on consumer protection matters to help ensure a consistent supervisory approach. Further, the supervisory matters that we reviewed, including actions taken to address violations and deficiencies, generally appeared to be consistently handled by DCP’s Regional Offices. However, we did note differences among DCP’s regional consultation policies and procedures that the FDIC should consider as part of its initiative to update those procedures for consistency with recently-issued national consultation procedures.

In addition, we identified two potential control improvements that we did not consider significant in the context of the audit objective. These improvements pertain to how DCP records and organizes information on the results of CRC proceedings and referrals of violations to other federal agencies. We communicated these issues separately to DCP management officials. Our report also includes an observation that DCP’s guidance to examiners on assigning compliance ratings allows more flexibility than the definitions provided in the UICCRS.
DCP officials informed us that there have been high-level discussions among FFIEC participants about the need to clarify the UICCRS ratings definitions.


Recording Supervisory Information in the FDIC’s Compliance Information Systems
Although the FDIC’s compliance information systems contained information pertaining to key supervisory actions for the institutions we reviewed, we did note exceptions. As described below, the systems did not always contain pertinent information regarding decisions about supervisory actions, restitution payments to consumers, or consultations about proposed supervisory actions.

Basis for Decisions on Supervisory Actions

The Compliance Examination Manual states that SOURCE is the system of record for the compliance examination program. The system is used extensively by field supervisors, examiners, review examiners, and Washington Office policy staff for reporting and management decision-making. Among other functions, SOURCE captures examination summary information, tracks information through the consultation process, and facilitates the reporting of examination data for legislatively-mandated reporting. Additionally, FIAT serves as a central source of information for supervisory actions.

The FDIC’s compliance information systems did not contain information that adequately explained the basis for decisions on supervisory actions—such as actions that were taken or actions that were recommended by DCP or supported by Legal Division opinions but ultimately not taken—for 15 of the 93 institutions that we reviewed. Several examples follow.

    • For five institutions, DCP and/or Legal Division staff recommended or considered a stronger supervisory action (e.g., restitution order, CMP, or C&D/CO) than was ultimately taken.
      However, the FDIC’s compliance information systems did not contain an explanation of why the stronger actions were not ultimately pursued or the basis for the actions that were taken.

    • For three institutions, the FDIC’s compliance information systems did not indicate why supervisory actions related to Flood Insurance violations cited during examinations were not pursued. In one case, the institution’s failure to comply with Flood Insurance requirements resulted in consumer harm totaling $78,000.[6] In the other two cases, the systems did not indicate why the cited violations did not represent a pattern or practice requiring the payment of CMPs.

    • For two institutions with the same action in place for several years, the FDIC’s compliance information systems did not indicate why stronger action had not been pursued to address continued deficiencies in the institutions’ compliance management systems.

DCP Regional Office officials provided additional information pertaining to the matters described above. These officials acknowledged the importance of maintaining current, accurate, and complete information about supervisory actions in the FDIC’s compliance information systems. In addition, DCP officials in the Washington Office indicated that information in the FDIC’s compliance information systems pertaining to supervisory actions has historically focused on actions that have been taken and that additional emphasis on documenting actions considered or recommended, but not pursued, would be beneficial.
Recording such information in DCP’s compliance information systems could provide greater assurance of consistency in the supervision of institutions and facilitate planning for subsequent examinations.

[6] Section 339.3(a) of the FDIC Rules and Regulations requires that the building, mobile home, or personal property securing a designated loan be covered by flood insurance for the term of the loan. Section 339.7 requires a financial institution or servicer to purchase insurance on the borrower’s behalf if the borrower fails to obtain flood insurance within 45 days after notification.
[7] Prior to the issuance of the RD Memorandum, DCP tracked restitution using various manual and automated systems depending on the type of violation or corrective program involved. The use of disparate systems created difficulty in identifying and aggregating the amount of consumer harm addressed through examination and enforcement activities.

Restitution to Consumers

A DCP RD Memorandum, entitled Procedures for Handling the Payment, Documentation, and Tracking of Restitution to Customers (Transmittal No. 2012-001-DCP, dated March 12, 2012), states that when examiners identify a violation where restitution to consumers is appropriate, the Regional Office will track the amount of the restitution and the number of consumers impacted in FIAT.[7] FIAT is designed to track two types of restitution: voluntary and ordered. According to DCP officials, voluntary restitution occurs when an institution agrees to pay restitution immediately upon notification of a violation and before the conclusion of the examination. Ordered restitution occurs when the FDIC pursues an enforcement action to compel an institution to pay restitution.
When an institution discovers and corrects a violation and pays
restitution in a timely manner outside of the examination process, no recordkeeping of the
restitution is required by DCP policy.

DCP generally recorded and tracked the amount of restitution and the number of
consumers impacted in FIAT for the institutions we reviewed. However, we did note
exceptions. Specifically, FIAT lacked required information for 5 of the 34 institutions in
our sample that involved voluntary or ordered restitution payments subsequent to the
issuance of DCP’s March 2012 RD Memorandum. Details regarding these exceptions
follow.

   •   For two of the institutions, FIAT contained no information about required
       restitution for violations cited in the compliance examination reports.
       Supervisory documentation that we reviewed outside of FIAT indicated that one
       institution had ECOA violations involving restitution payments totaling $750 to
       47 consumers and the other institution had a TILA violation involving one
       consumer, but we were not able to locate documentation indicating the amount of
       required restitution.

   •   For the three remaining institutions, FIAT contained information pertaining to the
       amount of restitution and the number of consumers impacted for some, but not all,
       of the violations identified during the examinations.
       Supervisory documentation
       that we reviewed outside of FIAT indicated that one institution had ECOA
       violations involving restitution payments totaling $4,269 to 21 consumers, one
       institution had a TILA violation involving a restitution payment of $420 to one
       consumer, and the other institution had a RESPA violation involving a restitution
       payment of $300 to one consumer.

DCP’s March 2012 RD Memorandum requires the Regional Offices to enter restitution
payments in FIAT by the eighth day of the month following the month of payment.
Incomplete information in FIAT regarding restitutions presents an increased risk that
consumers impacted by violations of laws and regulations may not receive appropriate
restitution and that reports to management and to the Congress may not be complete.
Management emphasis on the importance of recording restitution information in FIAT as
prescribed in the March 2012 RD Memorandum could help to mitigate the types of
exceptions that we identified.

We also noted inconsistencies among regional DCP officials with respect to their
understanding of when restitution should be categorized as voluntary or ordered. Some
DCP officials indicated that they categorize restitutions as ordered if there is a statutory
requirement for the institution to pay the restitution (such as for certain TILA violations)
or if the FDIC has authority to impose restitution, such as with certain instances under
Section 8(b) of the Federal Deposit Insurance Act (FDI Act). However, other DCP
officials indicated that they categorize such restitutions as voluntary if the institution
agrees to pay the restitution prior to DCP pursuing a formal order. This inconsistency
can be attributed, in part, to the lack of a formal definition for voluntary and ordered
restitution.
Inconsistent treatment of restitution can affect the reliability of reporting as
FIAT is designed to track voluntary and ordered restitution separately.

Consultations

According to the NRE Manual, the consultation process is intended to promote ongoing
communication of examination issues between field staff and management and applicable
Regional Office and Washington Office staff and management. Consultations help to
ensure that examination processes and procedures are consistently applied on a regional
and nationwide basis. In addition, DCP’s Washington Office has issued several RD
Memoranda that provide guidance on the consultation process, and DCP’s Regional
Offices have developed their own consultation policies and procedures that support the
national consultation process. Both the NRE Manual and the regional consultation
policies and procedures define the types of actions and issues that require a consultation,
and both state that consultations must be recorded in SOURCE.

Of the 58 institutions that we reviewed that involved issues or actions requiring a
consultation, we noted 10 instances in which SOURCE did not indicate whether a
consultation had occurred. These issues and actions consisted of the following:[8]

       •   Consent Orders – 3 instances.
       •   Restitutions – 3 instances.
       •   MOUs – 2 instances.
       •   BBRs – 1 instance.
       •   Potential or actual RESPA Section 8 violations – 1 instance.

We also noted six instances in which a consultation regarding an MOU or BBR was
incorporated into consultations about the institutions’ ratings or violations.
Regional
consultation procedures state that separate records should be created in SOURCE for
each issue or action requiring a consultation.

The exceptions we noted may be attributed to oversights or a lack of awareness on the
part of examiners regarding the requirements for recording consultations in SOURCE. In
some cases, consultation discussions may have occurred and were documented outside of
SOURCE. Recording consultations in SOURCE helps to ensure that relevant
information is readily available to those who need it and increases management’s
assurance of appropriate, timely, and consistent treatment of issues and actions requiring
concurrence from Regional Offices and/or the Washington Office.

[8] It should be noted that some examinations involved multiple issues and/or actions requiring consultation.

Recommendations

We recommend that the Director, DCP:

    1. Emphasize to examination staff the importance of recording information in
       SOURCE regarding the basis for decisions on supervisory actions, including
       when supervisory actions are considered or recommended but ultimately not
       taken.

    2. Review and update, as appropriate, current controls designed to ensure that
       relevant information about restitutions is recorded in FIAT and develop formal
       definitions for voluntary and ordered restitutions to ensure consistent tracking and
       reporting.

    3. Reinforce to examiners DCP’s policy requirement to create records in SOURCE
       for matters requiring consultation.


Regional Consultation Policies and Procedures

DCP’s six Regional Offices have each established consultation policies and procedures to
augment the division’s national consultation procedures contained in the NRE Manual
and RD Memoranda.
The regional policies and procedures identify specific matters that
require consultation among examination teams in local Field Offices and personnel in the
Regional Offices. We reviewed the regional consultation policies and procedures and
identified the following variations:

    •   Restitution. The minimum dollar threshold amount of restitution requiring a
        consultation ranges from $2,500 to $15,000 among the Regional Offices. In some
        regions, consultations for restitution are only required for violations of certain
        laws or regulations and are not tied to dollar thresholds.

    •   Referrals. Regional consultation policies and procedures vary with regard to the
        apparent violation of specific laws that require a consultation.

    •   RESPA. Some regions require consultations for potential violations of Section 8
        of RESPA, while others require consultations only for cited or unusual violations
        of the section.[9]

    •   Ratings and Supervisory Actions. Only one region requires a consultation to
        upgrade a financial institution from a “3” rating or to terminate an informal
        supervisory action.

[9] Section 8 of RESPA prohibits anyone from giving or accepting a fee, kickback, or anything of value in
exchange for referrals of settlement service business involving a federally-related mortgage loan.
Violations of this section are subject to criminal and civil penalties.

The differences we noted warrant review to ensure that consumer compliance issues and
supervisory actions are considered and applied in a consistent manner across regions.
DCP Transmittal No.
2013-013-DCP, issued in December 2013, requires the Regional
Directors to review and update their regional consultation procedures to ensure they are
consistent with the current national consultation procedures. Accordingly, this is an
opportune time for the Regional Offices to review and consider the variations noted
above.

Recommendation

We recommend that the Director, DCP:

   4. Review and update, as appropriate, Regional Office consultation policies and
      procedures to ensure consistency.


Observation: Consumer Compliance Rating System

The UICCRS was established in 1980 to provide a general framework for evaluating and
integrating significant compliance factors in order to assign a consumer compliance
rating to each federally-regulated commercial bank, savings and loan association, mutual
savings bank, and credit union. The purpose of the rating system is to reflect in a
comprehensive and uniform fashion the nature and extent of an institution’s compliance
with consumer protection and civil rights statutes and regulations. According to the
UICCRS, all relevant factors must be evaluated and weighed in assigning a consumer
compliance rating. In general, these factors include the nature and extent of compliance
with consumer protection and civil rights statutes and regulations, the commitment of
management to compliance and its ability and willingness to take the necessary steps to
assure compliance, and the adequacy of operating systems, including internal procedures,
controls, and audit activities designed to ensure compliance on a routine and consistent
basis. The assignment of ratings may also incorporate other factors that impact
significantly on the overall effectiveness of an institution’s compliance efforts.

We observed that DCP’s policy and guidance to examiners on assigning compliance
ratings allows more flexibility than the definitions provided in the UICCRS.
Specifically,
the UICCRS definition for a “2” rating states, in part:

       There is no evidence of discriminatory acts or practices, reimbursable violations,
       or practices resulting in repeat violations.

The FDIC’s Compliance Examination Manual incorporates this same definition, but also
states:

       In assigning ratings under this system, it is important to recognize that all the
       attributes in each rating category will not necessarily apply to each institution.
       …examiners are expected to use reasoned judgment to reach sensible,
       supportable conclusions about an institution’s performance based on the totality
       of the examination findings.

DCP officials informed us that there are circumstances in which examiners may assign a
“2” rating even when reimbursable and/or repeat violations exist. Indeed, we identified
14 instances in our review of selected financial institutions wherein reimbursable or
repeat violations were cited in compliance examination reports and the institution was
assigned a “2” rating. In those instances, it was the judgment of examiners that the
restitution amounts and nature of the violations did not warrant lower ratings. We also
noted that DCP updated its internal guidance in March 2012 to require the consistent use
of the term “restitution,” rather than “reimbursement,” to describe payments to harmed
consumers.

Unlike the FDIC guidance, the UICCRS does not provide for flexibility in its ratings
definitions. However, the FDIC’s view regarding the application of examiner judgment
in evaluating the overall risk of an institution seems reasonable, particularly in light of
the UICCRS not being updated since 1980.
In this regard, the UICCRS may not fully
reflect current risk-based approaches to supervisory matters. DCP officials informed us
that there have been high-level discussions among FFIEC participants about the need to
clarify the UICCRS ratings definitions.


Corporation Comments and OIG Evaluation

The Director, DCP, provided a written response, dated March 17, 2014, to a draft of this
report. The response is presented in its entirety in Appendix 4. In the response, the
Director, DCP, concurred with all four of the report’s recommendations and described
planned corrective actions that address the recommendations. A summary of the
Corporation’s corrective actions is presented in Appendix 5. The planned corrective
actions are responsive to the recommendations, and the recommendations are resolved.

The response notes that a draft of this report indicated that one of the FDIC’s Regional
Offices—the Atlanta Regional Office—did not have regional consultation policies or
procedures. The response indicates that based on DCP’s discussions with Atlanta
Regional Office personnel, the region does have consultation procedures in its Standard
Operating Procedures manual. Prior to finalizing our report, we obtained and reviewed
these procedures and updated our report accordingly. The additional information did not
affect our findings, conclusions, or recommendations.

In response to the report’s observation, the Director, DCP, agreed that the UICCRS could
be improved by clarifying the ratings definitions.
DCP plans to contact other agencies to
determine whether there is mutual interest in updating the UICCRS definitions to address
our observation and other matters.


Appendix 1

Objective, Scope, and Methodology

Objective

The performance audit objective was to determine whether the FDIC’s actions to address
consumer protection violations and deficiencies comply with applicable policies,
procedures, and guidelines and the extent to which the actions are consistently handled by
DCP’s Regional Offices.

We conducted this audit from April 2013 through January 2014 in accordance with
generally accepted government auditing standards. Those standards require that we plan
and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objective. We believe that the
evidence obtained provides a reasonable basis for our findings and conclusions based on
our audit objective. The conclusions and findings in this report are based on information
provided by the FDIC and certain analyses that we performed through January 2014. We
caution that projecting the results of our audit to future periods is subject to the risk that
controls may become inadequate because of changes in conditions or because compliance
with controls may deteriorate.

Scope and Methodology

To obtain a proper understanding of the FDIC’s controls for addressing consumer
protection violations and deficiencies and ensuring a consistent approach, we:

   •   Identified and became familiar with key applicable consumer compliance policies,
       procedures, and guidelines.
       Such criteria included, but were not limited to:

            o consumer protection laws and regulations, including ECOA, FHAct, FTC
              Act, HMDA, Flood Insurance, RESPA, and TILA;
            o FDIC rules and regulations related to consumer protection;
            o the FFIEC’s UICCRS definitions;
            o interagency statements of policy on fair lending, CMPs, and
              administrative enforcement of TILA;
            o the Compliance Examination Manual, FIAP Manual, and NRE Manual;
            o DCP’s consultation and referral procedures;
            o RD Memoranda related to fair lending, UDAP, RESPA, HMDA, Flood
              Insurance, TILA, CMPs, and general compliance procedures; and
            o DCP’s Regional Office consultation policies and procedures.

   •   Identified and became familiar with key controls and processes, such as the role
       and responsibility of the CRC and DCP’s compliance examination report review
       process.

   •   Spoke with Washington Office and Regional Office officials in DCP and the
       Legal Division about the FDIC’s approach and processes for addressing consumer
       protection violations and deficiencies.

We assessed whether the FDIC’s actions to address consumer protection violations and
deficiencies complied with applicable policies, procedures, and guidelines and the extent
to which those actions were consistently handled by reviewing supervisory information
for a non-statistical sample of 93 financial institutions. Non-statistical samples are
judgmental and cannot be projected to the population of institutions.
A description of our
sampling methodology follows.

Our sample consisted of four strata. The first two strata focused on deficiencies and
violations, respectively, and were drawn from a universe of 472 institutions that
SOURCE identified as having been examined from October 1, 2012 to March 31, 2013.
Within this universe, SOURCE identified 27 institutions with deficiencies in their
compliance management systems and 413 institutions with violations of consumer
protection laws or regulations. We selected 16 institutions with deficiencies and
32 institutions with violations for detailed analysis. We selected these institutions in such
a manner as to obtain representation from all six of DCP’s Regional Offices and a mix of
violation types.[10]

The second two strata focused on enforcement actions and referrals, respectively, and
were drawn from a universe of 570 supervisory actions (covering 546 institutions) and
29 referrals (covering 29 institutions) that FIAT or DCP indicated were issued or made
from April 1, 2011 to March 31, 2013. We selected 78 supervisory actions (covering
71 institutions) and 11 referrals for detailed analysis.
Our selections were made in such a
manner as to obtain representation from all six of DCP’s Regional Offices and a mix of
action types.[11] Table 1 summarizes the institutions that we selected for review.

Table 1: Institutions Selected for Review

                                 Total Number       Number of Institutions    Percentage
Sample Strata                    of Institutions    Selected*                 of Total
Strata 1: Deficiencies                        27                        16           59%
Strata 2: Violations                         413                        32            8%
Strata 3: Supervisory Actions                546                        71           13%
Strata 4: Referrals                           29                        11           38%

Source: FDIC Office of Inspector General (OIG) analysis of deficiencies and violations reflected in
SOURCE, enforcement actions reflected in FIAT, and referral information provided by DCP.
* Some institutions were selected more than once for multiple violations or actions covered by our review.

[10] The violations that we selected included noncompliance with provisions of TILA, Flood Insurance,
ECOA, RESPA, HMDA, and other consumer protection laws and regulations. DCP utilizes a three-tiered
system to classify violations to reflect the level of risk of consumer harm resulting from the violation.
We selected violations at all three levels.
[11] Supervisory actions that we selected included BBRs, MOUs, C&Ds/COs, CMPs, and restitution orders.

Initially, we selected 126 unique financial institutions for review. After reviewing all of
the institutions in Strata 1 and 2 and most of the institutions in Strata 3 and 4, it became
evident to us that we had sufficient evidence to address our audit objective. Accordingly,
we discontinued further analysis of institutions in Strata 3 and 4 as we determined that it
would not be cost-beneficial to review the remaining institutions. Table 2 provides a
breakdown of the 93 institutions that we reviewed.

Table 2: Institutions Actually Reviewed

                           Number of Institutions    Number of Institutions    Percentage
Strata                     Selected for Review*      Actually Reviewed**       Reviewed
Deficiencies                                   16                        16          100%
Violations                                     32                        32          100%
Supervisory Actions
   BBR                                         18                         6           33%
   MOU                                         18                         9           50%
   C&D/CO                                      14                         8           57%
   CMP                                         18                        15           83%
   Restitution                                 10                         5           50%
Referrals                                      11                         8           73%
Total                                         137                        99           72%

Source: OIG analysis of institutions reviewed.
* Some institutions were selected more than once for multiple violations or supervisory actions.
** Ninety-three unique institutions were reviewed in total.

Our analysis of supervisory information for the institutions we reviewed was generally
limited to information contained in SOURCE, FIAT, RADD, and R3. We also spoke
with officials in DCP to follow up on certain issues that we noted during our analysis.
Our work did not include a review of examination workpapers to determine whether
examiners had identified all relevant deficiencies and violations or made all relevant
referrals to other agencies.

We engaged KPMG LLP (KPMG) to perform a detailed analysis of the institutions we
sampled. KPMG completed an analysis for all but 1 of the 93 institutions. The OIG
performed the analysis for the remaining institution because KPMG notified us of a
potential conflict of interest with that institution. The OIG retained overall responsibility
for conducting the audit, and we provided oversight of KPMG’s work in our role as
contract oversight manager and technical monitor. In this role, we performed certain
quality control procedures to assure ourselves that KPMG’s work and results were
consistent with professional standards and applicable OIG policies and procedures.
The
OIG’s quality control work was in addition to KPMG’s quality assurance work.

Internal Control, Reliance on Computer-processed Information,
Performance Measurement, and Compliance with Laws and Regulations

As described in the Scope and Methodology section of this Appendix, we performed
audit procedures to identify and obtain an understanding of the FDIC’s controls for
addressing consumer protection violations and deficiencies and ensuring a consistent
approach. We also assessed the implementation of those controls by performing a
detailed analysis of a sample of institutions. Consistent with our audit objective, we
did not assess the adequacy of DCP’s overall internal control or management control
environment. Our report identifies certain internal control weaknesses warranting
management’s attention.

We relied on data in SOURCE and FIAT to select a sample of institutions for detailed
analysis.[12] We determined that the data in these systems was sufficiently reliable for
purposes of selecting a sample based on the nature of our planned testing, a comparison
of information in various reports and documents generated by other information systems,
and discussions with DCP management. Although DCP uses various systems to capture
information related to consumer violations and deficiencies, we determined that
information system controls were not significant to our objective. Accordingly, we did
not assess the design or effectiveness of information system controls as part of this
audit.
However, for each of the sampled items, we did evaluate whether DCP
information systems appropriately captured pertinent information about the supervisory
actions taken or considered.

[12] The sample of referrals was selected from a separate list maintained by DCP.

The Government Performance and Results Act of 1993 (the Results Act), as amended,
directs Executive Branch agencies to develop a customer-focused strategic plan, align
agency programs and activities with concrete missions and goals, and prepare and
report on annual performance plans. We identified one DCP Divisional Goal
established in 2012 that was relevant to our audit objective. The goal states:

           Take prompt and effective supervisory action to address problems identified
           during compliance examinations of FDIC-supervised institutions that receive a
           composite “3,” “4,” or “5” rating for compliance with consumer protection and
           fair lending laws, and to ensure that each institution is fulfilling the requirements
           of any corrective program that has been implemented and that the actions taken
           by the banks are effectively addressing the underlying concerns identified during
           the examination.

As mentioned previously in this report, we found that follow-up examinations or visits
for the institutions in our sample were conducted in a timely manner.

Regarding compliance with laws and regulations, our report identifies weaknesses in
internal controls that, if not addressed, could lead to incomplete tracking and reporting
pertaining to consumer compliance activities.
In addition, we assessed the risk of fraud\nand abuse related to our objective in the course of evaluating audit evidence.\n\n\n\n\n                                            17\n\x0c                                                                          Appendix 2\n\n\n                            Glossary of Terms\n      Term                                       Definition\n\nBank Board       BBRs are informal commitments adopted by a financial institution\xe2\x80\x99s\nResolution       Board of Directors (often at the request of the FDIC) directing the\n(BBR)            institution\xe2\x80\x99s personnel to take corrective action regarding specific\n                 noted deficiencies. BBRs may also be used as a tool to strengthen\n                 and monitor an institution\xe2\x80\x99s progress with regard to a particular\n                 component rating or activity.\nCease-and-Desist Orders may be issued to stop violations of law, rule, or regulation or\nOrders (C&D      unsafe or unsound practices, as well as to require affirmative action\nOrders or        to correct any conditions resulting from such violations or practices.\nConsent Orders) Orders may be issued after notice and hearing, or after stipulation by\n                 the institution. By ordering an institution to cease and desist from\n                 violations or practices and/or to take affirmative actions, the FDIC\n                 may prevent the institution\xe2\x80\x99s problems from reaching such serious\n                 proportions as to require more severe corrective measures. Section\n                 8(b) of the FDI Act authorizes the FDIC to issue Orders.\nCivil Money      Section 8(i) of the FDI Act grants the FDIC authority to impose\nPenalties (CMP) CMPs against insured depository institutions and institution-\n                 affiliated parties. 
CMPs may be assessed for violations of final and\n                 temporary orders, written agreements with the FDIC, and laws and\n                 regulations; unsafe and unsound practices; and breaches of fiduciary\n                 duty.\nCommunity        The Community Reinvestment Act encourages federally insured\nReinvestment     banks to meet the credit needs of their entire community. Part 345\nAct (CRA)        of the FDIC Rules and Regulations states that each appropriate\n                 federal financial supervisory agency is required to assess an\n                 institution\xe2\x80\x99s record of helping to meet the credit needs of the local\n                 communities in which the institution is chartered, consistent with the\n                 safe and sound operation of the institution, and to take this record\n                 into account in the agency\xe2\x80\x99s evaluation of an application for a\n                 deposit facility by the institution.\nEqual Credit     ECOA prohibits certain discriminatory practices, including creditor\nOpportunity Act practices that discriminate based on race, color, religion, national\n(ECOA)           origin, sex, marital status, or age.\nFair Housing Act FHAct prohibits discrimination based on race, color, religion,\n(FHAct)\xe2\x80\x94the      national origin, sex, family status, and handicap in residential real\nCivil Rights Act estate-related transactions. HUD\xe2\x80\x99s regulations implementing FHAct\nof 1968, Title   are found at 24 CFR Part 100. The FDIC Rules and Regulations,\nVIII             Part 338, Fair Housing, is the FDIC\xe2\x80\x99s implementing regulation for\n                 FHAct.\nHome Mortgage HMDA was enacted to provide information to the public and federal\nDisclosure Act   regulators regarding how depository institutions are fulfilling their\n(HMDA)           obligations towards community housing needs. 
    The regulation requires an institution to report data to its supervisory agency about home purchase loans, home improvement loans, and refinancings that it originates or purchases, or for which it receives applications, and to disclose certain data to the public.

Memorandum of Understanding (MOU)
    An MOU is an informal agreement between an institution and the FDIC, which is signed by both parties. A State Authority may also be a party to the agreement. MOUs are designed to address and correct identified weaknesses in an institution’s compliance position. The FDIC generally uses MOUs instead of BBRs, especially when there is reason to believe the deficiencies noted during an examination need a more structured program or specific terms to effect corrective action.

Real Estate Settlement Procedures Act (RESPA)
    RESPA covers loans secured with a mortgage placed on a one-to-four family residential property. These include most home purchase loans, assumptions, refinancings, property improvement loans, and equity lines of credit. RESPA requires that borrowers receive disclosures at various times. Some disclosures spell out the costs associated with settlement, outline lender servicing and escrow account practices, and describe business relationships between settlement service providers.

Referrals
    ECOA provides for referrals to DOJ or notifications to HUD of suspected instances of credit discrimination as well as certain other violations of ECOA or FHAct.
    The referral provisions of ECOA require that the federal financial institution regulatory agencies refer matters to DOJ whenever the agency has reason to believe that a creditor has engaged in a pattern or practice of discouraging or denying applications for credit in violation of ECOA’s general rule prohibiting discrimination. Further, whenever one of the agencies has reason to believe, as a result of receiving a consumer complaint, conducting a consumer compliance examination, or otherwise, that: (a) a violation of ECOA has occurred, and (b) has reason to believe that the alleged violation would also be a violation of the FHAct, and (c) does not refer the matter to DOJ, the agency must notify HUD of the alleged violation.

Restitution
    Financial consumer protection laws and regulations are designed to protect consumers in financial transactions. Violations of such laws and regulations can result in harm to consumers where restitution is appropriate. Restitution can be voluntary or ordered. According to DCP officials, voluntary restitution occurs when an institution agrees to pay restitution immediately upon notification of a violation and before the conclusion of the examination. Ordered restitution occurs when the FDIC pursues an enforcement action to compel an institution to pay restitution.
    Section 8(b)(6)(A) of the FDI Act authorizes the FDIC to issue restitution orders.

Truth in Lending Act
    Contained in Title I of the Consumer Credit Protection Act, the Truth in Lending Act requires meaningful disclosure of credit and leasing terms.

Unfair or Deceptive Acts or Practices (UDAP)
    Section 5 of the Federal Trade Commission Act prohibits unfair or deceptive acts or practices in or affecting commerce. Such acts or practices are illegal; can cause significant financial injury to consumers; erode consumer confidence; and present significant credit and asset quality risk, undermining the financial soundness of banking organizations.

Uniform Interagency Consumer Compliance Rating System (UICCRS)
    The UICCRS was approved by the Federal Financial Institutions Examination Council to reflect in a comprehensive and uniform fashion the nature and extent of an institution’s compliance with consumer protection and civil rights statutes and regulations. The rating system is based upon a scale of 1 through 5 in increasing order of supervisory concern.
    Thus, “1” represents the highest rating and consequently the lowest level of supervisory concern, while “5” represents the lowest, most critically deficient level of performance and, therefore, the highest degree of supervisory concern.

Appendix 3

Acronyms and Abbreviations

Acronym:      Explanation:
BBR           Bank Board Resolution
C&D Order     Cease and Desist Order
CFPB          Consumer Financial Protection Bureau
CMP           Civil Money Penalties
CRA           Community Reinvestment Act
CO            Consent Order
CRC           Case Review Committee
DCP           Division of Depositor and Consumer Protection
DOJ           Department of Justice
ECOA          Equal Credit Opportunity Act
FDI Act       Federal Deposit Insurance Act
FDIC          Federal Deposit Insurance Corporation
FFIEC         Federal Financial Institutions Examination Council
FHAct         Fair Housing Act
FIAP Manual   Formal and Informal Action Procedures Manual
FIAT          Formal and Informal Action Tracking System
HMDA          Home Mortgage Disclosure Act
HUD           Department of Housing and Urban Development
KPMG          KPMG LLP
MOU           Memorandum of Understanding
NRE Manual    National Review Examiner Manual
OIG           Office of Inspector General
R3            Regional Report Repository
RADD          Regional Automated Document Distribution and Imaging System
RD            Regional Directors
RESPA         Real Estate Settlement Procedures Act
SOURCE        System of Uniform Reporting of Compliance and CRA Examinations
TILA          Truth in Lending Act
Treasury      Department of the Treasury
UDAP          Unfair or Deceptive Acts or Practices
UICCRS        Uniform Interagency Consumer Compliance
              Rating System
ViSION        Virtual Supervisory Information On the Net

Appendix 4

Corporation Comments

Federal Deposit Insurance Corporation
550 17th Street NW, Washington, D.C. 20429-9990
Division of Depositor and Consumer Protection

March 17, 2014

TO:         Stephen M. Beard
            Deputy Inspector General for Audits and Evaluations

FROM:       Mark Pearce /Signed/
            Director

SUBJECT:    Draft Audit Report Entitled, The FDIC's Actions to Address Consumer Protection Violations and Deficiencies (Assignment No. 2013-001)

The Division of Depositor and Consumer Protection (DCP) reviewed the above-titled audit, the first OIG audit related to DCP’s operation since FDIC created the Division in 2011. DCP concurs with the OIG findings that:

    1. DCP’s actions to address consumer protection violations and deficiencies in FDIC-supervised institutions are generally aligned with applicable policies, procedures, and guidelines, and are generally handled consistently by DCP’s Regional Offices;
    2. examination reports identified the specific violations, their nature and cause, and institutions’ responses;
    3. examinations and visits are conducted in a timely manner; and
    4.
       Civil Money Penalties, when issued, were well-supported including Legal opinions.

The audit report identifies four recommendations and one observation to enhance processes for addressing consumer protection violations and deficiencies identified during compliance examinations. DCP agrees with all of the recommendations in the audit report. The specific actions DCP will undertake to address each of the recommendations and the observation are described briefly below.

OIG Audit Recommendation 1: Emphasize to examination staff the importance of recording information in SOURCE regarding the basis for decisions on supervisory actions, including when supervisory actions are considered or recommended, but ultimately not taken.

DCP Response: Documentation of the consultation process is covered in the revised Consultation Policy and will be discussed at the Review Examiners Training Session in August 2014. While Review Examiners have primary responsibility for maintaining consultation records in SOURCE, DCP will distribute information about the expected documentation to all examination-related staff as an update to the National Review Examiner Manual which will be completed by September 30, 2014.

Appendix 5

Summary of the Corporation’s Corrective Actions

This table presents corrective actions taken or planned by the Corporation in response to the recommendations in the report and the status of the recommendations as of the date of report issuance.

Table columns: Rec. No.; Corrective Action: Taken or Planned; Expected Completion Date; Monetary Benefits; Resolved [a]: Yes or No; Open or Closed [b]
Rec. No. 1
    Corrective Action (Taken or Planned): Documentation expectations in the revised national consultation policy will be discussed at the Review Examiners Training session in August 2014. In addition, DCP will distribute information regarding documentation expectations to all examination staff as an update to the NRE Manual.
    Expected Completion Date: 9/30/2014
    Monetary Benefits: N/A
    Resolved [a] (Yes or No): Yes
    Open or Closed [b]: Open

Rec. No. 2
    Corrective Action (Taken or Planned): DCP will review current instructions on voluntary and ordered restitution and revise them as needed. In addition, the revised definitions and usage of FIAT will be discussed at the Review Examiner Training session in August 2014. Further, the revisions will be distributed to all examination staff as an update to the NRE Manual.
    Expected Completion Date: 9/30/2014
    Monetary Benefits: N/A
    Resolved [a] (Yes or No): Yes
    Open or Closed [b]: Open

Rec. No. 3
    Corrective Action (Taken or Planned): Requirements for documenting consultations in SOURCE were updated in the revised national consultation policy and will be included in regional consultation policies as discussed in the corrective action for Recommendation 4. The updates will be communicated to all examination staff through planned updates to the regional consultation policies and the NRE Manual.
    Expected Completion Date: 9/30/2014
    Monetary Benefits: N/A
    Resolved [a] (Yes or No): Yes
    Open or Closed [b]: Open
Rec. No. 4
    Corrective Action (Taken or Planned): A team including one Review Examiner from each region has been established to review all of the regional consultation policies and procedures. The team will develop recommendations to ensure that the policies are consistent regarding the types of issues that are included, time frames for processing, and protocols that are aligned with the national consultation policy.
    Expected Completion Date: 6/30/2014
    Monetary Benefits: N/A
    Resolved [a] (Yes or No): Yes
    Open or Closed [b]: Open

[a] Resolved – (1) Management concurs with the recommendation, and the planned, ongoing, and completed corrective action is consistent with the recommendation.
    (2) Management does not concur with the recommendation, but alternative action meets the intent of the recommendation.
    (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

[b] Recommendations will be closed when (a) Corporate Management Control notifies the OIG that corrective actions are complete or (b) in the case of recommendations that the OIG determines to be particularly significant, when the OIG confirms that corrective actions have been completed and are responsive.